Include and Exclude Rules

You can use include and exclude processing rules to control which log messages are sent to Sumo Logic.

If you specifically exclude a message, the rule functions as a blacklist filter, and the matching data is never sent to Sumo Logic.

Include filters are whitelist filters, which are useful when the set of log data you want to send to Sumo Logic is easy to describe. You can set up one whitelist filter instead of writing an exclude filter for every type of message you want to drop. For example, to include only messages coming from a Cisco ASA firewall, you could use the following:

Rules and Limitations

Your rule must match the entire log message, from start to end, rather than only a section of it.

For single-line messages, prefix and suffix the regex with .* whenever the pattern you are matching is not at the beginning or end of the line. For example, to exclude any message containing the words "secure" or "security", write the rule:

.*secur.*

For multiline messages, add the single-line modifier (?s) to the beginning and end of the expression so the pattern matches wherever the string occurs in the message. For example, to exclude any Windows Event message containing Event Code 5156, write the rule like this:

A rule processes single-line log messages until 1 MB of data has been read, and multiline log messages until 2,000 lines or 512 KB of data has been read, whichever comes first. Once a limit is reached, the processing rule ignores the rest of that log message and moves on to the next log.
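The following is an added example, not code from the original page or from Sumo Logic, that emulates the matching semantics described above so you can check a rule against sample messages before deploying it: whole-message matching, the need for .* around a substring, the effect of (?s) on multiline messages, and the point at which a very long message stops being inspected. All sample messages are constructed. Python's re engine only accepts a global inline flag such as (?s) at the start of the pattern, so the example places it there once; the matching effect is the same as the leading-and-trailing form. The way the size limits are modelled (the rule simply sees a truncated message) is an assumption for illustration.

```python
import re

# Constructed sample messages (not taken from the original page).
SINGLE_LINE = [
    "Jan 10 12:00:01 host sshd[123]: Accepted publickey for alice",
    "Jan 10 12:00:02 host secure: login session opened",
    "Jan 10 12:00:03 host app: security audit completed",
]

MULTILINE_EVENT = (
    "An attempt was made to access an object.\n"
    "Subject: user=bob\n"
    "Event Code: 5156\n"
)

# Limits stated on the page.
SINGLE_MAX_BYTES = 1024 * 1024
MULTILINE_MAX_LINES = 2000
MULTILINE_MAX_BYTES = 512 * 1024


def rule_view(message: str) -> str:
    """Portion of a message that a rule inspects (assumed model of the limits):
    multiline messages are cut at 2,000 lines or 512 KB, single-line at 1 MB."""
    if "\n" in message.strip():  # multiline message
        head = "\n".join(message.split("\n")[:MULTILINE_MAX_LINES])
        return head.encode()[:MULTILINE_MAX_BYTES].decode(errors="ignore")
    return message.encode()[:SINGLE_MAX_BYTES].decode(errors="ignore")


def rule_matches(rule: str, message: str) -> bool:
    """A processing rule matches only if the regex covers the entire message."""
    return re.fullmatch(rule, rule_view(message)) is not None


def apply_rules(messages, include=None, exclude=None):
    """Return the messages that would be sent: an exclude (blacklist) hit always
    drops the message; when include (whitelist) rules exist, a message must match
    at least one of them to be kept."""
    kept = []
    for msg in messages:
        if exclude and any(rule_matches(r, msg) for r in exclude):
            continue
        if include and not any(rule_matches(r, msg) for r in include):
            continue
        kept.append(msg)
    return kept


def build_event(code_line_index: int, total_lines: int = 2500) -> str:
    """Constructed multiline event with 'Event Code: 5156' on one chosen line."""
    lines = [f"line {i}" for i in range(total_lines)]
    lines[code_line_index] = "Event Code: 5156"
    return "\n".join(lines)


# The code on line 10 is inside the 2,000-line window; line 2400 is beyond it.
EARLY_CODE = build_event(10)
LATE_CODE = build_event(2400)


if __name__ == "__main__":
    print(apply_rules(SINGLE_LINE, exclude=[".*secur.*"]))
    print(rule_matches("secur", SINGLE_LINE[1]))          # whole-message rule: no hit
    print(rule_matches(".*5156.*", MULTILINE_EVENT))      # '.' stops at newlines
    print(rule_matches("(?s).*5156.*", MULTILINE_EVENT))  # (?s) spans lines
    print(rule_matches("(?s).*5156.*", LATE_CODE))        # beyond the line limit
```

The last check is the one worth remembering when you rely on an exclude rule to keep sensitive content out of Sumo Logic: if the pattern only appears past the 2,000-line or 512 KB point of a multiline message, the rule never sees it, so test rules against the largest messages your source actually emits.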
